linux-kernel.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Mickaël Salaün" <mic@digikod.net>,
	"Florian Weimer" <fweimer@redhat.com>
Cc: "Al Viro" <viro@zeniv.linux.org.uk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Alejandro Colomar" <alx.manpages@gmail.com>,
	"Aleksa Sarai" <cyphar@cyphar.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	"Christian Brauner" <christian.brauner@ubuntu.com>,
	"Christian Heimes" <christian@python.org>,
	"Deven Bowers" <deven.desai@linux.microsoft.com>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Eric Biggers" <ebiggers@kernel.org>,
	"Eric Chiang" <ericchiang@google.com>,
	"Geert Uytterhoeven" <geert@linux-m68k.org>,
	"James Morris" <jmorris@namei.org>, "Jan Kara" <jack@suse.cz>,
	"Jann Horn" <jannh@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Kees Cook" <keescook@chromium.org>,
	"Lakshmi Ramasubramanian" <nramas@linux.microsoft.com>,
	"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
	"Matthew Garrett" <mjg59@google.com>,
	"Matthew Wilcox" <willy@infradead.org>,
	"Miklos Szeredi" <mszeredi@redhat.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
	"Scott Shell" <scottsh@microsoft.com>,
	"Shuah Khan" <shuah@kernel.org>,
	"Steve Dower" <steve.dower@python.org>,
	"Steve Grubb" <sgrubb@redhat.com>,
	"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
	"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
	"Yin Fengwei" <fengwei.yin@intel.com>,
	kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v17 0/3] Add trusted_for(2) (was O_MAYEXEC)
Date: Wed, 01 Dec 2021 08:14:54 -0500
Message-ID: <e91d238422f8df139acf84cc2df6ddb4fd300b87.camel@linux.ibm.com>
In-Reply-To: <4a88f95b-d54d-ad70-fb49-e3c3f1d097f2@digikod.net>

On Wed, 2021-12-01 at 10:23 +0100, Mickaël Salaün wrote:
> On 30/11/2021 21:27, Florian Weimer wrote:
> > * Mickaël Salaün:
> > 
> >> Primary goal of trusted_for(2)
> >> ==============================
> >>
> >> This new syscall enables user space to ask the kernel: is this file
> >> descriptor's content trusted to be used for this purpose?  The set of
> >> usages currently only contains execution, but others may follow (e.g.
> >> configuration, sensitive data).  If the kernel identifies the file
> >> descriptor as trustworthy for this usage, user space should then take
> >> this information into account.  The "execution" usage means that the
> >> content of the file descriptor is trusted according to the system policy
> >> to be executed by user space, which means that it interprets the content
> >> or (tries to) map it as executable memory.
> > 
> > I sketched my ideas about “IMA gadgets” here:
> > 
> >    IMA gadgets
> >    <https://www.openwall.com/lists/oss-security/2021/11/30/1>
> > 
> > I still don't think the proposed trusted_for interface is sufficient.
> > The example I gave is a Perl module that does nothing (on its own) when
> > loaded as a Perl module (although you probably don't want to sign it
> > anyway, given what it implements), but triggers an unwanted action when
> > sourced (using .) as a shell script.
> 
> The fact that IMA doesn't cover all metadata, file names or file
> hierarchies is well known, and the solution can be implemented with
> dm-verity (which has its own drawbacks).

Thanks, Mickaël, for responding.  I'll go even farther and say that IMA
wasn't ever meant to protect file metadata.  Another option is EVM,
which addresses some, but not all of the issues.

thanks,

Mimi

> 
> trusted_for is a tool for interpreters to enforce a security policy 
> centralized by the kernel. The kind of file confusion attacks you are 
> talking about should be addressed by a system policy. If the mount point 
> options are not enough to express such policy, then we need to rely on 
> IMA, SELinux or IPE to reduce the scope of legitimate mapping between 
> scripts and interpreters.


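The interpreter-side pattern the cover letter describes (open the script, ask the kernel whether its content is trusted for execution, and only then source or evaluate it), as an added example that is not code from this thread or from the posted series. It assumes the v17 interface, trusted_for(fd, usage, flags) with TRUSTED_FOR_EXECUTION as the usage value, and that __NR_trusted_for is only defined by kernel headers carrying the series; on any other build the kernel path compiles out and the block falls back to a user-space approximation of the two checks the series lets the sysctl policy select (not on a noexec mount, execute bit set). The fallback is this example's own design choice, not something the series specifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: the usage value defined by the v17 series for
 * enum trusted_for_usage. Only used when the syscall exists. */
#define TRUSTED_FOR_EXECUTION 1

enum trust_verdict { TRUST_DENIED = 0, TRUST_OK = 1, TRUST_UNSUPPORTED = 2 };

/* Ask the kernel. __NR_trusted_for is defined only by headers that carry
 * the series; elsewhere this compiles to "unsupported". */
static enum trust_verdict kernel_trusted_for_exec(int fd)
{
#ifdef __NR_trusted_for
	if (syscall(__NR_trusted_for, fd, TRUSTED_FOR_EXECUTION, 0) == 0)
		return TRUST_OK;
	return errno == ENOSYS ? TRUST_UNSUPPORTED : TRUST_DENIED;
#else
	(void)fd;
	return TRUST_UNSUPPORTED;
#endif
}

/* Pure policy evaluation mirroring the two sysctl-selectable checks of the
 * series: the file must not live on a noexec mount and must carry at least
 * one execute bit. Only regular files qualify. */
static enum trust_verdict evaluate_exec_policy(mode_t mode, unsigned long fs_flags)
{
	if (!S_ISREG(mode))
		return TRUST_DENIED;
	if (fs_flags & ST_NOEXEC)
		return TRUST_DENIED;
	if ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
		return TRUST_DENIED;
	return TRUST_OK;
}

/* User-space approximation for kernels without the syscall. Weaker than
 * the kernel check: no LSM/IMA involvement, and the mount can be remounted
 * between this check and the actual use of the content. */
static enum trust_verdict userspace_exec_check(int fd)
{
	struct stat st;
	struct statvfs vfs;

	if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
		return TRUST_DENIED;
	return evaluate_exec_policy(st.st_mode, vfs.f_flag);
}

/* What an interpreter calls before sourcing or evaluating fd's content.
 * Returns 1 if the system policy permits execution, 0 otherwise. */
int script_trusted_for_exec(int fd)
{
	enum trust_verdict v = kernel_trusted_for_exec(fd);

	if (v == TRUST_UNSUPPORTED)
		v = userspace_exec_check(fd);
	return v == TRUST_OK;
}

int main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <script>\n", argv[0]);
		return 2;
	}
	int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		perror("open");
		return 2;
	}
	int ok = script_trusted_for_exec(fd);
	printf("%s: %s\n", argv[1],
	       ok ? "trusted for execution" : "not trusted, refusing to interpret");
	close(fd);
	return ok ? 0 : 1;
}
```

Whichever path is taken, the answer is only "may this content be executed under the system policy"; it says nothing about which interpreter the content was meant for, which is exactly the gap behind Florian's Perl-module-sourced-as-shell-script example and why the reply above points to a system policy (mount options, IMA, SELinux or IPE) to narrow the script-to-interpreter mapping.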

Thread overview: 9+ messages
2021-11-15 18:53 [PATCH v17 0/3] Add trusted_for(2) (was O_MAYEXEC) Mickaël Salaün
2021-11-15 18:53 ` [PATCH v17 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl Mickaël Salaün
2021-11-15 18:53 ` [PATCH v17 2/3] arch: Wire up trusted_for(2) Mickaël Salaün
2021-11-15 18:53 ` [PATCH v17 3/3] selftest/interpreter: Add tests for trusted_for(2) policies Mickaël Salaün
2021-11-30 10:35 ` [PATCH v17 0/3] Add trusted_for(2) (was O_MAYEXEC) Mickaël Salaün
2021-11-30 20:27 ` Florian Weimer
2021-12-01  9:23   ` Mickaël Salaün
2021-12-01 13:14     ` Mimi Zohar [this message]
2021-12-01 16:40 ` Kees Cook
